Security Assessment: Case Studies for Implementing the NSA IAM (part 9)


Vulnerability Classification

Deciding on the level of threat to or vulnerability of a customer is a somewhat subjective process. This is another place in the IAM process where the assessors’ INFOSEC experience is critical. Whether the vulnerability is a High, Medium, or Low depends greatly on the overall risk the vulnerability creates for the organization. For example, if a vulnerability exists but there is no threat of exploitation of that vulnerability, the overall risk is Low. If a vulnerability exists, a threat exists to exploit that vulnerability, and it is on a critical system, a High level rating should be considered for the finding. Other designations may be considered depending on the criticality of the systems, the likelihood and ease of exploiting the vulnerability, and the type of threat involved. All the information gathered in the organizational information and system criticality processes ties directly to the overall risk factor determination for the organization.

Positive Findings

Every finding during an assessment does not have to involve a negative vulnerability. The assessment team should identify good security practices in addition to the negative vulnerabilities, to give the customer a sense of what they are currently doing correctly. This gives the customer a sense that they at least have some foundation on which to build their security program. If you present only negative findings, the customer will possibly develop a negative attitude toward any suggestions you make. Here are examples of acceptable and unacceptable positive findings:

■ Acceptable positive finding Customer ABC has demonstrated a resolve to provide a secure work environment through the use of a managed firewall and intrusion detection systems that provide quick reporting of anomalies to the security administrator. The security administrator responds to the notification within two hours unless a higher priority is placed on the identified incident.

■ Unacceptable positive finding The customer break room has excellent coffee.

Negative Findings

The reality of the assessment process is that most findings will be negative in nature. This is due to the fact that the purpose of the assessment is to identify vulnerabilities and make recommendations to improve an organization’s security posture. Findings and associated discussion should be clear on the finding’s impact on the customer. Common negative findings often seen during assessments are managerial, technical, or operations related.

Common Managerial-Related Findings

The common vulnerabilities seen from a managerial perspective include, but are certainly not limited to, the following:

■ Lack of a comprehensive security policy

■ Lack of or out-of-date disaster recovery or business continuity plan

■ Lack of policy enforcement by the organization’s staff

■ Lack of senior management support for the security program

■ No defined roles and responsibilities for staff

■ No configuration management process

■ Security not a member of the configuration control board (CCB)

Common Technical-Related Findings

The common vulnerabilities seen from a technical perspective include, but are certainly not limited to, the following:

■ Network architecture not secure

■ Firewalls improperly configured

■ No intrusion detection/intrusion prevention implemented

■ No redundancy on critical components

Common Operations-Related Findings

The common vulnerabilities seen from an operational perspective include, but are certainly not limited to, the following:

■ No effective security training and awareness program in place

■ No initial security training on new hires

■ No background checks conducted on new hires


■ Critical systems not physically secured

■ Limited challenge of unbadged personnel

■ No identification required to be displayed when on site

Negative Finding Examples

The following are good and bad examples of negative findings, giving consideration to the usefulness and level of detail of the finding:

■ Acceptable negative finding The firewall configurations for Customer ABC should be reexamined to address the need for separation of network access to the various departments of ABC. The areas ABC should consider separating are the Research and Development Lab, Human Resources, and the Technology Training Room. This separation, along with good firewall rules, will help reduce the visibility of critical areas of the network.

■ Unacceptable negative finding Firewalls need to be reconfigured to provide better security.

Multiple Recommendations for Each Finding

Providing a customer with multiple recommendations to mitigate a vulnerability allows them to choose the level of protection and cost point for each vulnerability. The assessment team cannot determine the final constraints on a customer, especially when it comes to cost and politics. If you provide multiple recommendations to mitigate a single vulnerability, the customer can select the level of solution they want to implement. Providing multiple levels of recommendations also gives the customer a sense that they have some control over the security that will be implemented and the risk management process that ensues. If the assessment team only provides the perceived “best” solution, the customer may not be able to implement the solution due to cost or other constraints that impact the organization. There may also be times when there is only one solution available, and this should be indicated in the final report.


Creating and Formatting the Final Report

Everybody (well, maybe not everybody) hates documentation, but it is a critical part of the assessment process. The final report presents the customer with the formal documented results that are needed to show due diligence and their progress for implementing their security program. The final report provides the means to convey all findings, document the process, and provide a road map for improving security. A well-organized final report provides the best way to present the assessment results.

From the Trenches…

Yugo, Ford, and Cadillac

Anyone who has taken a Security Horizon IAM Training Course will remember the references to the Yugo, the Ford, and the Cadillac recommendations for mitigating vulnerabilities for a customer. This presentation provides a customer with options for implementation. The following are general definitions for each level:

■ Yugo The low-end, low-cost solution that can be implemented quickly and/or with minimal cost to provide a client with some level of protection. Sometimes referred to as the “Band-Aid” solution.

■ Ford The mid-level, mid-cost solution that requires more planning and implementation than a Yugo solution but will provide a greater level of protection against threats to an existing vulnerability.

■ Cadillac The top-of-the-line solution that will provide the greatest level of protection for the customer, but often at a high cost and/or high administration requirement to implement.


TERMINOLOGY ALERT

Due diligence is the process an organization goes through to ensure that they are taking the appropriate and necessary steps to protect the assets of the company or organization. From a security perspective, due diligence involves taking the necessary steps to protect the operations and information from electronic theft, destruction, or alteration. When a company is sued over a security incident, the courts look at whether that company took reasonable responsibility and steps to protect the resources from known threats through identifying and mitigating vulnerabilities.

In creating the final report, your primary purpose is to create a formal document that provides details about the entire assessment process. It identifies the purpose of the assessment, the process used to conduct the assessment, the identification of critical information, the identification of critical systems and system configuration, the identification of vulnerabilities, and recommendations to improve the organization’s security posture. The final report also takes care of contractual requirements for documenting the assessment and its results.

NSA provides a recommended format for the final report; however, there is flexibility in how the final report is presented. The NSA outline incorporates a good set of minimum requirements to include in the final report. Let’s look at those requirements.

Executive Summary

The executive summary serves as a high-level introduction to the assessment results. It should be clear that the executive summary will not be at the level of detail of the final report. However, the executive summary is intended to stand alone as a summary of the assessment to be readable by the customer management staff.

Executive Summary Content

The executive summary is meant to be a quick summary of the assessment and its findings. There should be enough information that it makes sense, but it should be short enough that an executive can read it in 5 minutes or less to understand the results. The executive summary should include the following types of information:


■ A brief description of the customer, mission, organizational structure, and number of employees.

■ A brief description of the assessment process and the purpose of the assessment. Include the dates of the assessment. This might be a good place to reiterate that the assessment was not an inspection, audit, certification, or risk analysis.

■ A statement about why the customer requested the assessment to be performed.

■ A statement that implementation of any recommendations contained in the final report is strictly voluntary on the part of the customer’s management.

■ A brief description of the system or systems that were assessed to include sensitivity of the information.

■ Major findings and recommendations found during the assessment. Detail will be included in the INFOSEC analysis section of the main final report document.

■ Highlight support provided and positive aspects of the customer’s organization.

NOTE

The executive summary should be used to reiterate major findings, highlight the significant vulnerabilities identified, and highlight actions the customer is already taking to mitigate those vulnerabilities.

Introduction

The Introduction section should contain a detailed description and overview of the assessment. This information is more detailed than the executive summary and is intended to give the reader a complete picture of the assessment process and the scope of the assessment. It should include the following elements:

■ Information about the customer and the assessment company


■ A description of the assessment process

■ The purpose of the assessment

Customer and Assessment Company Information

The Introduction should include information about the mission and operations of the customer being assessed. This information includes company name, operating locations of the customer, operating locations covered by the assessment, number of employees, and so forth. The information should be complete enough to show why the customer is in business and has the organization and systems they do for operations.

It is also good to highlight who conducted the assessment and the expertise of the assessment team so that readers know the assessment was accomplished by a professional security company. For example, highlighting that the assessment team is trained in the NSA IAM and other credentials, along with the types and number of assessments previously conducted, will provide a sense of credibility to the customer as well as identifying the benefit of the IAM assessment to the customer.

Assessment Process Description

The Introduction should include a description of the process used to conduct the assessment. In our case, we describe the NSA IAM as the methodology used to conduct the assessment and the basis for the assessment process. Since this is the main document, the assessment team can go into detail about the process used. These standard descriptions of the IAM process can be used with minor variations in future IAMs.

Important note: The IAM is a detailed and systematic way of examining cyber vulnerabilities and was developed by experienced NSA and commercial INFOSEC assessors. NSA provided the IAM to assist both INFOSEC assessment suppliers and consumers requiring assessments with a framework for conducting effective organizational security assessments. The IAM assessment provides organizations with a comprehensive overview of their security posture for purposes of implementing security countermeasures and improving their organizations’ overall security. In addition to assisting the governmental and private sectors, an important result of supplying baseline standards for INFOSEC assessments is fostering a commitment to improve organizations’ security postures.


Purpose of the Assessment

The Introduction should include a description of the reason that the customer requested the assessment and the identified usage of the assessment results. This again is a good place to identify that the assessment was not an inspection, audit, or certification. We also recommend that you identify how the assessment process met the customer goals for the assessment.

System Description

The System Description section should actually be a combination of information about the organization’s critical information and critical systems along with an actual description of the customer’s system(s). In this section, you should include the following elements:

■ The importance of the customer mission

■ Identified critical information

■ Identified critical system information

■ A verbal description of the system being assessed

■ System diagrams

The Customer’s Mission Is Important

The System Description section should include discussion of the importance of the customer’s mission and the services or products the customer provides. This information is important to gain an understanding of why the customer’s critical information is critical and why their critical systems are critical.

Information Criticality

The System Description section should include a list of identified critical information, the associated impact definitions, and the information criticality matrix. Detailed discussion should include information that will help the customer understand what the information means. (Information criticality is discussed in detail in Chapter 3 of this book.)


The final report writers need to remember that the IAM results will be reviewed at a future date, and they should include enough detail in the description so that it can be understood by anyone reading the report. Don’t assume that the matrix will be understood without a description.

System Criticality

Carry forward the system criticality information described in detail in Chapter 4 of this book. The writer should be able to refer to the definitions and critical information elements described previously so that duplication is limited. It may be useful to describe why the subset of systems was selected and the overall usage of each system.

Actual System Description

A detailed description of the system or network is needed, including the configuration of the system/network, number of workstations, number of servers, the types of hardware platforms, software and applications being utilized on the systems, and the types of services (FTP, Telnet, and so forth) that are in use. Also include in the description any firewalls, IDSs, and VPNs in use.

A Picture Is Worth a Thousand Words

It seems cliché, but it is true—a picture is worth a thousand words. For our purposes, a system diagram goes a long way toward providing a better and clearer understanding of the system configuration. Be sure to identify whether the diagram was created by the customer or by the assessment team. This is important, because a diagram created by the assessment team is an understanding of the network, whereas one created by the customer should be indisputably accurate.

INFOSEC Analysis

The INFOSEC Analysis section identifies the organization’s security posture by identifying vulnerabilities and the impact of those vulnerabilities on the organization. There is flexibility in how the vulnerabilities are presented to the customer in the final report. Two commonly used options are:

■ Specifically use the 18 Baseline INFOSEC Classes and Categories, as discussed in Chapter 7 of this book.

■ Organize the vulnerabilities by their impact to the customer, typically as High, Medium, or Low, while still noting from which of the INFOSEC Classes and Categories the finding is derived.

NOTE

Either way of listing the vulnerabilities is acceptable. You may even find a better way to list them. In any case, the vulnerability listings must make some logical sense. The downside of using the topic areas as the primary listing method is the fact that many findings cross over multiple topic areas. If you organize them by impact and then list the topic areas from which the vulnerability came, the customer can already see the prioritization of the areas that need to be addressed. A single vulnerability can address more than one topic area.

Topic Areas

The topic areas that are to be addressed in the final report include the 18 Baseline INFOSEC Classes and Categories, discussed in Chapter 7, and any agreed-on changes discussed with and approved by the customer. Table 10.1 provides a recap of the 18 Baseline INFOSEC Classes and Categories.


Table 10.1 Eighteen Baseline INFOSEC Classes and Categories

■ INFOSEC documentation

■ INFOSEC roles and responsibilities

■ Contingency planning

■ Configuration management

■ Identification and authentication

■ Account management

■ Session controls

■ Auditing

■ Malicious code protection

■ Maintenance

■ System assurance

■ Networking/connectivity

■ Communications security

■ Media controls

■ Labeling

■ Physical environment

■ Personnel security

■ Education training and awareness
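One way to keep the INFOSEC Analysis entries consistent with the two listing options above (by baseline category, or by impact with the originating categories noted) is to model each entry and generate both listings from the same data. This is an added example, not code from the book or from Security Horizon; the Finding class, its validate() check and the sample findings are assumptions modelled on the chapter's IISP entries.

```python
from collections import defaultdict
from dataclasses import dataclass

# Table 10.1: the 18 Baseline INFOSEC Classes and Categories.
BASELINE_CATEGORIES = frozenset({
    "INFOSEC documentation", "INFOSEC roles and responsibilities",
    "Contingency planning", "Configuration management",
    "Identification and authentication", "Account management",
    "Session controls", "Auditing", "Malicious code protection",
    "Maintenance", "System assurance", "Networking/connectivity",
    "Communications security", "Media controls", "Labeling",
    "Physical environment", "Personnel security",
    "Education training and awareness",
})

# Impact levels in the order the report lists them (High first).
SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}


@dataclass(frozen=True)
class Finding:
    """One INFOSEC Analysis entry: finding, categories, severity, discussion, options."""
    title: str
    categories: tuple
    severity: str
    discussion: str
    options: tuple = ()

    def validate(self):
        """Return report-quality problems with this entry (empty list if none)."""
        problems = []
        if self.severity not in SEVERITY_ORDER:
            problems.append(f"unknown severity {self.severity!r}")
        if not self.categories:
            problems.append("no category assigned")
        for cat in self.categories:
            if cat not in BASELINE_CATEGORIES:
                problems.append(f"category {cat!r} is not one of the 18 baseline categories")
        if not self.options:
            problems.append("no recommendation options")
        elif len(self.options) == 1:
            problems.append("only one option: state in the report that a single solution is available")
        return problems


def by_category(findings):
    """Listing option 1: titles grouped under each topic area (cross-listed findings repeat)."""
    groups = defaultdict(list)
    for f in findings:
        for cat in f.categories:
            groups[cat].append(f.title)
    return dict(groups)


def by_severity(findings):
    """Listing option 2: (severity, title, categories) ordered High -> Medium -> Low."""
    ordered = sorted(findings, key=lambda f: (SEVERITY_ORDER.get(f.severity, 99), f.title))
    return [(f.severity, f.title, f.categories) for f in ordered]


def cross_listed(findings):
    """Titles that would appear under more than one topic area in listing option 1."""
    return [f.title for f in findings if len(f.categories) > 1]


# Constructed sample findings modelled on the chapter's IISP entries (assumed data).
SAMPLE_FINDINGS = (
    Finding("IISP lacks a comprehensive security policy",
            ("INFOSEC documentation",), "High",
            "Security policy is the foundation of the security program.",
            ("Top-down: develop an enforceable corporate policy.",
             "Bottom-up: adopt IT group standards as IISP standards.")),
    Finding("Employee acceptable-use policy inadequate",
            ("INFOSEC documentation", "Personnel security"), "High",
            "The policy is under a page and names no compliance requirements.",
            ("Update the acceptable-use policy based on the corporate security policy.",)),
    Finding("No mandated warning banners on systems and workstations",
            ("Session controls",), "High",
            "Lack of warning banners makes it difficult to prosecute abusers.",
            ("General counsel provides a banner per system type.",
             "General counsel provides one generic banner for all systems.")),
    Finding("Inconsistent support plans drive inconsistent account management",
            ("INFOSEC documentation", "Account management"), "Medium",
            "Weak or missing support plans leave the support desk without an approval process.",
            ()),  # options deliberately omitted to exercise the validation check
)


def report_problems(findings=SAMPLE_FINDINGS):
    """Map each title to its validation problems, for entries that have any."""
    return {f.title: f.validate() for f in findings if f.validate()}


if __name__ == "__main__":
    for sev, title, cats in by_severity(SAMPLE_FINDINGS):
        print(f"[{sev}] {title}  ({', '.join(cats)})")
    print("cross-listed:", cross_listed(SAMPLE_FINDINGS))
    print("problems:", report_problems())
```

The cross_listed() output is the duplication the NOTE warns about when the topic areas are the primary listing; by_severity() keeps each finding in one place while still naming its categories.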

Identifying the Findings

Findings are the identified customer vulnerabilities. However, findings do not have to be wholly negative. In fact, it is highly recommended that you include some positive findings in the final report to help emphasize good security practices the customer can use to leverage additional security focus for their organization. For reporting purposes, the finding is a brief, clear statement of the vulnerability or good security practice identified.

Discussion of the Findings

The Discussion section is a detailed description of the findings and their impact on the organization. This discussion is an excellent educational tool to help emphasize the importance of security to the customer.

Recommendations for Improving Security Posture

The Recommendations section is a detailed description of the recommendations for the customer to improve their security posture for that specific finding. Hopefully, the assessment team is able to identify multiple recommendations for each finding to provide the customer with options for improving their security posture.


Conclusion

The Conclusion section is intended to summarize the final report and provide the customer with additional information on how they can direct questions or gain more information about the findings and results. Included in this section are the following elements:

■ A general description of the overall results and the level of additional attention the customer needs to improve their security. This is where the assessment team finally makes a statement about the customer’s security posture that is backed up by the assessment’s actual results.

■ Statements about how security can save money in the long run may be useful. If specific examples are available, include them here.

■ Statements that recommendations are suggested guidelines, not requirements, to help the company improve its overall security posture and that implementation of any of the recommendations should be at the discretion of the company’s management may be useful here.

■ Positive statements about support and security practices are useful.

■ Provide contact information for the assessment team.

From the Trenches…

INFOSEC Analysis Section Example

Here is an example of a possible INFOSEC Analysis section entry:

Finding Disaster recovery plans incomplete and outdated.

Category INFOSEC documentation and contingency planning.

Severity High.

Discussion Disaster recovery plans provide the processes and procedures necessary to restore critical services in the event of an emergency. The current disaster recovery plan is focused on premier site restoration and is out of date due to major changes and closures within the network. It also does not include critical telecommunications restoration information.

Recommended options

1. (Optimal) Develop an overall disaster recovery policy. Based on the policy, develop site-specific and/or system-specific disaster recovery plans and procedures.

2. Develop an IT-specific disaster recovery plan that addresses the systems that IT is directly responsible for implementing, managing, and maintaining. Once developed, the plan should be tested minimally on an annual basis. Incorporate the disaster recovery process into the incident response process.

3. Update the existing premier site disaster recovery plan to cover all critical systems within the infrastructure.

Delivering the Final Report

Do not overlook the importance of the final step of the process: delivering the final report. A quality, visual presentation of the final report goes a long way toward meeting customer expectations. A sloppy report will leave the customer with a negative impression and could lead the report’s readers to believe that the assessment was conducted equally haphazardly. Be sure to meet the deadline established for the final report. This is important in meeting customer expectations.

Cover Letter

On your own letterhead, create a deliverable letter that meets your contractual requirements and provides a clear yet concise description of the assessment and the appropriate points of contact for the assessment team. This cover letter is a business process item that utilizes the assessor’s letterhead and processes to formally deliver the final report. Similar cover letters can likely be used for every final report delivery.

Attach the Assessment Plan

A copy of the customer-signed assessment plan should be attached to the final report as a record of the agreed-to scope used to conduct the assessment process. Since the assessment plan may change at various times throughout the process, the version attached should be a photocopy of the final version signed and agreed to by the customer, which includes all agreed-to changes made throughout the process. This gives the assessment team and the customer an opportunity to compare the resulting assessment to the agreed-on assessment, helping both parties compare customer expectations, concerns, and constraints.

Customer Acknowledgment

Make sure that you include some method of acknowledgment to encourage the customer to accept the final report so that a permanent record can be made for contractual purposes. This is important to prevent future misunderstandings or confusion as to the acceptability of the assessment results and, of course, your ability to get paid. The acknowledgment should be formal, requiring an original signature. This can generally be accomplished via a deliverable acknowledgment letter that the customer signs, stating that they have received and approved the delivered document.

Case Study: Analyzing Findings for Important Internet Services Provided, Inc.

Important Internet Services Provided, Inc. (IISP), located in Turpentine, Texas, is responsible for providing Internet services to a wide range of customers across the United States. IISP has departments supporting development and production environments. IISP provides provisioning support for user access on multiple systems, help desk support, and Tier 1 support.

IISP asked Security Horizon to conduct an organizational (NSA IAM-based) security assessment. Security Horizon conducted this assessment from May 1 through June 28, 2002. This assessment was not an inspection, accreditation, certification, or risk analysis. It was a snapshot view of the existing security posture within IISP. The results are intended to provide IISP with a plan of action to improve security operations. The assessment team gathered information through several means to obtain the indicated results. This process included interviews with key IISP personnel, observations of existing practices, and a review of available documentation. Through these efforts, the team was able to identify security vulnerabilities and propose solutions to meet IISP security needs.

The executive summary of the final report may look something similar to the following.


Executive Summary

Security Horizon was contracted by IISP to conduct an information security assessment on the IISP operations in Turpentine, Texas. This assessment covered the organizational considerations of information security. IISP is responsible for providing IT support for IISP internal operations. This responsibility includes support for the development and production environments. IISP provides provisioning support for user access on multiple systems, help desk support, and Tier 1 support. This information security assessment was conducted, at the request of IISP, to document the current state of security (the security posture) in the IISP responsible networks, to give a basis for addressing vulnerabilities, and to gain SLT visibility into the information security issues that are affecting the IISP environment. The assessment was conducted from May 1–June 28, 2002. The assessment was an analysis of the current state of security with the goal of improving security within the IISP environment. It was not an inspection, certification, or risk analysis. Security Horizon utilized the National Security Agency (NSA) Information Security Assessment Methodology (IAM) to conduct the organizational portion of the assessment. Security Horizon utilized its extensive commercial and government experience and formal processes and procedures to conduct the technical portion of the assessment. Implementation of any of Security Horizon’s recommendations is strictly voluntary on the part of IISP and is at the discretion of the organization’s management. The implementation of any recommendations contained herein does not guarantee the elimination of all risks.

The systems that were reviewed as part of this assessment included a combination of UNIX- and Windows-based servers, databases, Web servers, and workstations providing a broad range of services. These systems were located in Turpentine, Texas; Sterling Silver, Virginia; and San Juan, California.

The assessment highlighted several areas of concern within the IISP environment. Detailed findings are broken out by type of finding and severity of the finding in the INFOSEC Analysis section of this report. Also provided is a prioritized security road map to assist IISP in planning their security program and addressing improvements to their security posture.

Organizational Assessment Findings Summary

Analysis of the assessment findings shows that the two major items that need to be addressed within the IISP environment are a corporate-level, comprehensive, enforced security policy and general security awareness across all the IISP staff. IISP does not have a comprehensive security policy that details not only physical security requirements but also includes information protection and computer security considerations. These two items address approximately 80 percent of the organizational security findings at IISP. Additional findings show that IISP is not operating as a cohesive company with common goals and objectives. Although this is common for organizations that have grown through multiple acquisitions, it still has a major impact on the organization’s ability to address the issues related to security.

Security Horizon would like to thank all the IISP staff for their support and openness during the assessment process. Their openness and insight were critical to helping Security Horizon gain the information needed to complete the assessment. We would also like to thank Susie Shell for her assistance in locating available documentation that we reviewed. It has been a pleasure to work with the IISP staff, and we look forward to opportunities to work with you in the future. Should you have any questions, please do not hesitate to contact either member of your assessment team.

Russ Rogers, rrogers@securityhorizon.com, (719) 488-4500 office, (719) 555-1212 cell

Greg Miles, gmiles@securityhorizon.com, (719) 488-4500 office, (719) 555-1213 cell

NOTE

The following are some additional examples of findings from IISP that are included in the INFOSEC Analysis section of the final report.

INFOSEC Analysis

Organizational Assessment Findings

The following findings are based on interviews with IISP IT staff. These findings are a compilation of the thoughts and opinions of IISP staff. Verification of a finding is conducted through observation by the assessment team and/or confirmation with other IISP staff that are being interviewed. All these interviews are conducted in a nonattribution format to allow the interviewee to be fully open with the assessment team.


High-Severity Findings

Finding: IISP Lacks a Comprehensive Security Policy

Category INFOSEC Documentation

Severity High

Discussion Security policy is the foundation of an organization’s security program. It defines security requirements, accountability, and enforcement. The lack of a comprehensive security policy affects an organization’s ability to set and enforce best practices based on industry standards. Lacking a security policy also opens an organization to noncompliance with federal and state law and to not meeting due diligence expectations. Approximately 80 percent of the findings of this assessment are based on the lack of a comprehensive, enforceable security policy. Once a security policy is sanctioned by IISP, actions can be taken to bring IISP into compliance with the policies that have been established.

Recommendation options

■ Option 1 (optimal) Top-down approach: Develop a comprehensive, enforceable information security policy with either IISP resources or outside industry professionals. Policy must be sanctioned and supported by the IISP senior leadership team and must be enforced. This option will give IISP the quickest push toward resolution.

■ Option 2 Bottom-up approach: Develop security standards within the IT group and work to get them adopted as IISP standards. This will require SLT sanctioning and allowance of enforceability once adopted.

Finding: IISP Employee Acceptable-Use Policy Inadequate

Category INFOSEC Documentation and Personnel Security

Severity High

Discussion The employee acceptable-use policy shows employees how important security is to the operations of IISP. The current policy, located in the Associate Handbook titled Computer, Telephone, and E-mail Systems, is limited to less than a page that doesn’t identify specific compliance requirements and the enforcement that will occur should the policy be violated. Because this document is signed by the employee, identifying that employee’s understanding of IISP policy, it is critical that it be detailed and complete.

Recommendation options

■ Update the employee acceptable-use policy to be detailed based on the corporate security policy.

Finding: No Mandated Warning Banners on Systems and Workstations

Category Session Controls

Severity High

Discussion Warning banners are key elements for the legal prosecution of unauthorized access to a system and/or improper use of a system by an authorized system user. Lack of warning banners makes it difficult to prosecute abusers. In all cases, IISP legal counsel should provide and approve any warning banner placed on the systems. Warning banners can be generic or specific, depending on the type of system and users of a system.

Recommendation options

■ Define the requirement for warning banners in the to-be-developed security policy. Have the IISP general counsel provide warning banners for each type of system in use at IISP. Have the owners of each system implement the warning banner.

■ Define the requirement for warning banners in the to-be-developed security policy. Have the IISP general counsel provide an acceptable generic warning banner for use on all IISP systems.


Medium-Severity Findings

Finding: Inconsistent Support Plans Drive Inconsistent Account Management

Category INFOSEC Documentation and Account Management

Severity Medium

Discussion System support plans are supposed to mandate the account establishment, management, and approval process. When a system support plan provides weak guidance on how the approval and management process is to occur, the support desk cannot effectively manage the users. System support plans are not always created for each system. Many existing system support plans are weak and not kept up to date when changes are made. Weak or nonexistent system support plans create difficulties with the applicable system access policies. Without the proper approval process with applicable authority for access to a system, the IT support team cannot administer their responsibilities in a secure and efficient manner.

Recommendation options

■ Establish and enforce a basic framework for development to use for their account management portion of the system support plan. Make sure that security and systems support personnel are involved with the projects as they are being rolled out to ensure an understanding of the account management for those particular systems and to ensure some level of consistency across all systems.

■ Implement single sign-on throughout the IISP network. This will only work once IISP works out the relationships across the IISP organization to ensure that it is operating as one integrated company.

Finding: No Formally Defined Security Roles and Responsibilities Among the IT Staff

Category INFOSEC Roles and Responsibilities

Severity Medium


Discussion IISP information security is currently handled by individual initiative, not by defined roles and responsibilities. Empowerment and accountability for security are critical to successful security program implementation. IISP IT operations managers identified their need, and some are working on job descriptions for their staff. The job descriptions do not need to identify step-by-step activities for individuals, but they do need to identify the basic responsibilities of the positions to include security responsibilities.

■ Recommendation options

■ Option 1: Establish comprehensive job descriptions that include roles and responsibilities related to information security for that position. The specific roles and responsibilities need to be flexible enough to allow for changes in job requirements and technology.

■ Option 2: Create a generic security responsibility document for which all employees will be responsible.

NOTE

The Conclusion section might look something like the following.

Conclusion

Prompt attention to security is needed at IISP. A majority of the findings are due to the lack of documented policies and procedures, lack of senior management support to implement security best practices, lack of security training and awareness among IISP staff, and system misconfiguration. IISP can improve its security posture by taking into consideration the enclosed recommendations.

Good security is based on good policies, procedures, training, awareness, management support, and implementation. Good security is also based on a sound security architecture utilizing the correct products in the correct locations on the network. Ultimately, good security can help save IISP money by reducing redundancy of duties across the staff, reducing the amount of time spent addressing security incidents, and standardizing products and procedures across the enterprise.


The recommendations are suggested guidelines, not requirements, to help IISP improve its overall security posture. Implementation of any of the recommendations should be at the discretion of IISP management.

IISP has demonstrated a desire to improve its security posture. IISP has a talented technical staff that needs senior management support to break through the political barriers that are preventing them from successfully implementing improvements at IISP.

It has been a pleasure to work with the IISP staff, and we look forward to opportunities to work with you in the future. Should you have any assessment questions, please do not hesitate to contact either of your assessment team members:

Russ Rogers, rrogers@securityhorizon.com, (719) 488-4500 office, (719) 555-1212 cell

Greg Miles, gmiles@securityhorizon.com, (719) 488-4500 office, (719) 555-1214 cell

Results

Overall, IISP was very receptive to Security Horizon’s recommendations and is utilizing the provided road map to improve its security posture through phased implementation of the appropriate recommendations.

WARNING

Even when the customer is very receptive to the assessment results, they will likely have to implement solutions in phases based on available funding, political roadblocks, and available staff and time resources. Opportunities may exist here to do additional support work for the customer, but that should not be your primary focus.


The assessment team is approaching the end of the assessment process, but the work is not yet complete. Two to eight weeks of work remain to finalize the analysis, put together the discussion on the impact of vulnerabilities to the customer, and create useful recommendations for the customer to consider implementing. Begin the analysis process as soon as you return from the onsite visit. The longer the assessment team waits to begin analysis, the more that can be forgotten.

Taking the steps to prepare for conducting analysis helps get the assessment team focused on the required tasks and assists in providing an organized environment in which to work. These efforts include conducting assessment team meetings and making writing assignments to the appropriate individuals. It also includes taking the time to review in detail the information collected at the onsite visit and formulating the actual list of findings.

The actual analysis process is not an individual effort. The assessment team should meet several times to complete the full list of findings and decide on appropriate recommendations. The assessment team may be able to collectively identify vulnerabilities that they would have missed individually. Any look at vulnerabilities should include consideration of the overall risk to a customer. This includes an analysis of threats, vulnerabilities, and the customer’s asset value or impact on the customer. Risk plays a key role in the recommendations you make to improve the organization’s security posture.

The final report is the key deliverable for the entire process. The report should include detailed information about the assessment process, the purpose of the assessment, information criticality, system information and criticality, actual detail about vulnerabilities, positive findings, and an overall determination of the customer’s security posture. As a formal document, it should meet common-sense standards for organization, flow, grammar, and spelling. The final report should also meet your organization’s legal requirements for a deliverable. Don’t forget to attach the assessment plan to the final report.

Use common sense and review the assessment requirements when doing the analysis and preparing the reports to ensure that customer expectations are met. Keep communicating with the customer throughout the entire process, and things will flow much more easily.


Best Practices Checklist

Preparing for Analysis

Don’t delay in starting the analysis process; begin as soon as you return from the onsite visit.

Utilize assessment team meetings to pull together the findings information.

Manage the process to ensure success.

Keep communicating with the customer.

Understanding Findings (Doing the Analysis)

Threats, vulnerabilities, and asset value (or impact) play a major role in assessing the overall risk to a customer. Vulnerabilities are the areas in which a customer has the greatest control over their risk.

Analyze both negative and positive findings to create a true picture of the customer’s security posture.

Make multiple recommendations for each finding, where possible, to give the customer action options.

Preparing and Formatting the Final Report

Deliver the final report early, not late.

Be clear and concise with findings, discussion, and recommendations.

Be sure to address contractual needs to close out the assessment process.

Posted: 13/08/2014, 15:21
